I have configured a form-base authentication using Spring security. It works fine when I log in using the login form in my web application.
It also works with cURL:
curl --data "j_username=myname&j_password=mypassword" http://localhost:8080/test/j_spring_security_check --verbose However, I cannot make it works using Postman:
What is missing? I need to be authenticated in order to test other services.
You can achieve authentication/authorization in postman through various authorization types given in postman dropdown under Authorization tab.
Below is the step to use Basic Auth which by default spring security provides.
In spring security you can customize your credentials in application.properties file as given below.
spring.security.user.name=yer spring.security.user.password=galem
Finally I managed making Postman aware of authentication by using the Postman Interceptor chrome extension
With the extension enabled (by clicking the satellite icon within the Postman App), you just need to log in using the login form of your web and then you can start using services that require authentication in Postman.
Using http.httpBasic worked for me.
http.httpBasic() .and() .authorizeRequests() .antMatchers("/api/home") .hasRole("ADMIN") .antMatchers("/api/product/*") .hasRole("ADMIN") .and() .formLogin(); For me the Postman Interceptor was not working,
So I did the following and now I can login to the server.
When using basic auth on postman, you will set the credentials on the authorization tab. Click on Authorization, choose the type as Basic Auth, the credentials section will be displayed for you to key in the username and password.
http.httpBasic is working for Testing spring security with Postman.
For example, Added the override configure method from the configuration class MyConfiguration.java
@Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/admin/**").hasRole("ADMIN") .antMatchers("/**").permitAll().anyRequest().authenticated() .and().formLogin().permitAll().and().logout().permitAll().and().httpBasic(); http.cors().disable().csrf().disable(); } Note: To access the POST, PUT, and DELETE request you need to disable the cors and csrf as per code above.
What worked for me is:
Create POST request to given security endpoint
Set j_username and j_password in the x-www-form-urlencoded tab: 
Put headers as follows: 
In the settings tab I disabled following redirects: 
In that way when you call the request you will be able to check what was the result, for instance check the Set-Cookie Headers.
After calling this request you should be able to see the Set-Cookie and Location headers like: 
This cookie which was just set should be used for all next requests for given domain. In that way those will be authenticated.
